Hash Lab

A timeline of hash functions

When each algorithm was published, when each one broke, what replaced it. Filtered to the events that shaped the field; the algorithm catalog has the full bibliography per page.

  1. 1976 · Design

    Diffie-Hellman paper

    Diffie & Hellman publish 'New Directions in Cryptography', coining the term 'cryptographic hash function' alongside public-key cryptography.

  2. 1979 · Design

    Ralph Merkle on hash trees

    Merkle's foundational 1979 work introduces hash trees (Merkle trees) and the basis of iterated hash design.

  3. 1989 · Design

    MD2

    Ronald Rivest publishes the Message Digest 2 algorithm. 128-bit output, originally aimed at 8-bit microprocessors.

  4. 1989 · Design

    Merkle-Damgård paper

    Ivan Damgård and Ralph Merkle independently publish the design principle for chaining hash compressions.

  5. 1990 · Design

    MD4

    Rivest's MD4 design, 32-bit-word friendly, very fast. The structural template for the whole MD/SHA family.

  6. 1991 · Design

    MD5

    MD5: a strengthened MD4 with an extra round and tweaked nonlinear functions. The dominant hash of the 1990s.

  7. 1992 · Standard

    RFC 1321 (MD5)

    Rivest publishes MD5 as RFC 1321. It will go on to become one of the most-implemented algorithms in software history.

  8. 1993 · Design

    SHA-0

    NIST publishes the Secure Hash Algorithm. 160-bit output. Withdrawn within months because of an undisclosed flaw discovered by the NSA.

  9. 1995 · Design

    SHA-1

    SHA-1, the public re-release of SHA with one extra rotation in the message schedule. NIST FIPS 180-1.

  10. 1996 · Attack

    Dobbertin breaks MD4

    Hans Dobbertin demonstrates practical MD4 collisions, ending MD4's use in serious cryptographic contexts.

  11. 1996 · Design

    RIPEMD-160

    Dobbertin, Bosselaers and Preneel publish RIPEMD-160, a strengthened RIPEMD with parallel branches. Bitcoin will adopt it twelve years later.

  12. 1996 · Design

    HMAC

    Bellare, Canetti, Krawczyk publish the HMAC construction. RFC 2104 follows in 1997.

  13. 1999 · Design

    bcrypt

    Provos and Mazières publish bcrypt at USENIX, the first widely-deployed password hash with a tunable cost factor.

  14. 2000 · Design

    Whirlpool

    Barreto and Rijmen submit Whirlpool to the NESSIE project, a 512-bit hash on an AES-like block cipher.

  15. 2001 · Standard

    SHA-2 family (FIPS 180-2)

    NIST publishes SHA-256, SHA-512, SHA-384, SHA-224. The new family addresses concerns about SHA-1's 160-bit output.

  16. 2004 · Attack

    Wang & Yu break MD5

    Xiaoyun Wang and Hongbo Yu's CRYPTO 2004 rump session demonstrates practical MD5 collisions. Within months, collision attacks are running on laptops.

  17. 2005 · Attack

    Wang weakens SHA-1

    Wang, Yin, Yu publish theoretical SHA-1 collision attacks reducing the work factor from 2^80 to 2^69.

  18. 2007 · Tool

    NIST SHA-3 competition

    NIST opens the SHA-3 competition, calling for new hash designs structurally different from SHA-2. 64 submissions arrive by 2008.

  19. 2008 · Design

    Bitcoin

    Satoshi Nakamoto publishes the Bitcoin paper; SHA-256d (double SHA-256) becomes the proof-of-work primitive for the largest cryptocurrency. RIPEMD-160 enters production for addresses.

  20. 2008 · Attack

    Chosen-prefix MD5 collision

    Stevens, Lenstra, de Weger build a chosen-prefix MD5 collision and use it to forge a CA certificate. Web certificate authorities deprecate MD5 signatures.

  21. 2009 · Design

    scrypt

    Colin Percival publishes scrypt: the first widely-deployed memory-hard password hash. Litecoin will pick it up two years later.

  22. 2010 · Standard

    HKDF (RFC 5869)

    Hugo Krawczyk publishes HKDF, the modern default key-derivation function for non-password key derivation. TLS 1.3, Signal, WireGuard will all use it.

  23. 2011 · Design

    CityHash

    Google releases CityHash, a Murmur-class non-cryptographic hash with better distribution and SSE4.2-accelerated paths.

  24. 2012 · Incident

    Flame malware (chosen-prefix MD5)

    State-sponsored Flame cyber-espionage tool forges a Microsoft Windows code-signing certificate using a chosen-prefix MD5 collision. Stevens reverse-engineers the attack later that year.

  25. 2012 · Incident

    LinkedIn password leak

    6.5 million unsalted SHA-1 password hashes leaked publicly. ~90% cracked within hours by rainbow tables. The case study for every password storage talk since.

  26. 2012 · Design

    SipHash

    Aumasson and Bernstein publish SipHash, a keyed PRF designed specifically to defeat hash-flooding attacks against language-runtime hash tables.

  27. 2012 · Design

    Keccak wins SHA-3

    NIST selects Keccak (Bertoni, Daemen, Peeters, Van Assche) as the SHA-3 standard. A sponge construction structurally different from SHA-2.

  28. 2013 · Design

    BLAKE2

    Aumasson, Neves, Wilcox-O'Hearn, Winnerlein publish BLAKE2, faster than SHA-2 and SHA-3, with built-in keyed mode replacing HMAC.

  29. 2015 · Standard

    SHA-3 standardized (FIPS 202)

    NIST FIPS 202 finalizes SHA-3 (224/256/384/512) and SHAKE128/256. The padding rule changes between submission and final, which is why Ethereum's 'keccak256' is not SHA3-256.

  30. 2015 · Design

    Argon2 wins PHC

    The Password Hashing Competition concludes; Argon2 wins. Three variants (Argon2i/d/id) for different threat models.

  31. 2015 · Standard

    BLAKE2 RFC (RFC 7693)

    BLAKE2 gets an IETF RFC. libsodium adopts BLAKE2b as the default for crypto_generichash.

  32. 2016 · Design

    MiMC

    MiMC (Albrecht, Grassi, Rechberger, Roy, Tiessen) is the first deliberately SNARK-friendly hash to gain real-world use. It iterates x → (x + c)³ in a prime field.

  33. 2017 · Attack

    SHAttered: SHA-1 collision

    SHA-1 falls. Stevens, Bursztein, Karpman, Albertini, Markov publish two PDF documents with the same SHA-1 hash. Cost: ~6,500 CPU-years donated by Google.

  34. 2018 · Standard

    TLS 1.3 (RFC 8446)

    TLS 1.3 ships, with HKDF-SHA-256 / SHA-384 throughout the key schedule. The new design also drops the long list of MAC-then-encrypt ciphersuites that hurt TLS 1.2.

  35. 2019 · Design

    xxHash3

    Yann Collet releases xxHash3, the third generation of xxHash, with SIMD paths reaching tens of GiB/s.

  36. 2019 · Design

    Poseidon (eprint)

    Grassi, Khovratovich, Rechberger, Roy, Schofnegger post the Poseidon hash design. ZK rollups start adopting it within months.

  37. 2020 · Design

    BLAKE3

    BLAKE3 ships: a parallel Merkle-tree hash, the fastest secure hash on modern CPUs. Built-in keyed and derive_key modes replace HMAC and HKDF for many uses.

  38. 2020 · Attack

    SHA-1 chosen-prefix (Shambles)

    Leurent and Peyrin make chosen-prefix SHA-1 collisions practical. The same primitive that fueled the Flame attack on MD5 now applies to SHA-1.

  39. 2020 · Design

    Rescue-Prime

    Szepieniec, Ashur and Dhooghe publish Rescue-Prime, a SNARK-friendly hash with alternating x^α and x^(1/α) S-boxes.

  40. 2021 · Standard

    Argon2 (RFC 9106)

    RFC 9106 standardizes Argon2. The IETF reference now matches the PHC-selected design and parameter recommendations.

  41. 2021 · Design

    Poseidon (USENIX final)

    Final, peer-reviewed Poseidon paper at USENIX Security 2021. By now StarkNet, Aztec, Aleo, Mina, and Filecoin all use it in production.

  42. 2021 · Incident

    Apple NeuralHash breaks

    Apple's perceptual hash for client-side CSAM detection is reverse-engineered and collisions are demonstrated within days of disclosure. Apple shelves the client-side scanning plan.

  43. 2022 · Standard

    RFC 9309 (robots.txt)

    After 28 years as a de facto convention, robots.txt finally gets a formal RFC. (Adjacent to hash functions because llms.txt / ai.txt proposals will follow with similar shape.)

  44. 2023 · Design

    Poseidon2

    Grassi, Khovratovich, Rechberger and Schofnegger publish Poseidon2, with simpler matrix multiplications and slightly better circuit cost. New ZK designs pick Poseidon2.

  45. 2024 · Standard

    NIST FIPS 205 (SLH-DSA)

    NIST finalizes the SPHINCS+ hash-based signature scheme as SLH-DSA. Hash-based signatures become the conservative post-quantum signature choice.

  46. 2024 · Incident

    XZ utils backdoor

    A multi-year supply-chain attack on liblzma is discovered. Not a hash-function attack per se, but a sobering reminder that hash-function-strength bug bars do not apply to the integration glue around them.

  47. 2026 · Tool

    Hash Lab opens

    This site goes live: an interactive reference for every major hash family, with side-by-side tools and a step-by-step Merkle-Damgård / sponge animator.